65% Of The 100 Largest US Hospitals And Health Systems Have Had A Recent Data Breach

In 2024, healthcare data breaches reached an all-time high, with 276,775,457 records compromised – a 64.1% increase from the previous year’s record and equivalent to 81.38% of the United States population. Despite managing sensitive patient data, findings reveal that healthcare organizations still struggle with corporate customer data protection.

According to the data presented by Cybernews Business Digital Index, 79% of the 100 largest US hospitals and health systems scored D or worse for their cybersecurity efforts. In addition, 30% have critical vulnerabilities, and 65% have had recent data breaches. 

Healthcare organizations are struggling to keep pace

The researchers' analysis results reflect weak cybersecurity postures and show that the healthcare industry performs poorly in this area. 

On the report of the Business Digital Index, which grades worldwide organisations based on their online security measures, the combined security performance of the 100 largest US hospitals and health systems shows that 45% are in the high risk (D score) category, while 34% are in the critical risk (F score) category. Only a small percentage (5%) received an A score, categorized as low risk. 

Overall, the healthcare sector received an average security score of 72 out of 100. According to the index methodology, the overall calculated value from 70 to 79 is considered high risk. Based on this, it can be predicted that Americans health data is at high risk. 

65% had a recent data breach

The analysis shows that many organizations, especially those who scored D and F, are dealing with serious security challenges, such as system secure sockets layer (SSL/TLS) configuration, data breaches, and system hosting issues.

Protecting corporate and client information is challenging when 98% of analyzed hospitals and health systems have experienced data breaches. Meanwhile, 65% of them have had a recent data breach. 

Every analyzed organization has SSL/TLS configuration issues, marking 100% in each score level. A damaged SSL/TLS setup can expose sensitive data to interception, leaving systems vulnerable to man-in-the-middle attacks and undermining user trust and data security.

Critical (30%) and high-risk vulnerabilities (42%) are common in many of the 100 largest US hospitals and health systems, affecting over a third of organizations. Nearly all analyzed organizations (82%) have system hosting issues, and 77% have stolen corporate credentials.

Also, email security, including email spoofing and password reuse issues, are notable concerns. 27% of analyzed hospitals and health systems have domains vulnerable to email spoofing, and 17% have employees reusing compromised passwords.

With such problems, cybercrooks can take over employees' online accounts, send malware, or steal sensitive information.

The West states should up their security game 

According to research results, the Midwest and South US regions are the leaders in cybersecurity, with relatively higher average security scores – 74 and 73, respectively. 

The West has the lowest average security score of 65 and requires urgent attention to catch up with the advancements seen in other areas. Meanwhile, the Northeast region shows a moderate security score with an average of 69. 

Florida, North Carolina, and Texas have the largest number of healthcare institutions in the analyzed list. The analysis results show that the top three issues across these states are data breaches, SSL/TLS configuration issues, and system hosting issues.

Texas and Florida have 100% of organizations affected by data breaches, with North Carolina showing 86%. SSL/TLS configuration issues are universal across all three states, with 100% of hospitals and health systems facing this issue.

Florida stands out, with 100% of organizations facing system hosting issues, followed closely by Texas (85%) and North Carolina (86%). 

Research Methodology

You can see the 100 of the largest US hospitals and health systems list that Cybernews research team analyzed here. 

The report evaluates risk across seven key areas: software patching, web application security, email security, system reputation, SSL/TLS Configuration, system hosting, and data breach history. The report’s Methodology is here. It provides detailed information on how researchers conducted this analysis.

About Business Digital Index

The Business Digital Index (BDI) is a new initiative by Cybernews designed to evaluate the cybersecurity health of organizations worldwide. BDI aims to help businesses by providing a clear, transparent, and independent assessment of their cyber security management. In this way, the index contributes to a more resilient digital future.

By leveraging data from reputable sources—such as IoT search engines, IP and domain reputation databases, and custom security scans—the BDI comprehensively assesses an organization's cybersecurity strength.